-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.0386
Multiple Vulnerabilities in IBM Java SDK affect IBM Notes Standard Client
16 February 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Notes
Publisher: IBM
Operating System: Linux variants
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Access Privileged Data -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-0494 CVE-2016-0483 CVE-2016-0475
CVE-2016-0466 CVE-2016-0448 CVE-2016-0402
CVE-2015-8540 CVE-2015-8472 CVE-2015-8126
CVE-2015-7981 CVE-2015-7575 CVE-2015-5041
Reference: ASB-2016.0004
Original Bulletin:
http://www.ibm.com/support/docview.wss?uid=swg21976200
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Notes
Standard Client
Document information
More support for:
IBM Notes
Security
Software version:
8.5, 8.5.1, 8.5.1.5, 8.5.2, 8.5.2.4, 8.5.3, 8.5.3.6, 9.0.1, 9.0.1.5
Operating system(s):
Linux, Windows
Reference #:
1976200
Modified date:
2016-02-11
Summary
There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version
6 SR16FP15 that is used by IBM Notes Standard Client. These issues were
disclosed as part of the IBM Java SDK updates in January 2016 and includes the
vulnerability commonly referred to as SLOTH.
Vulnerability Details
CVEID:
CVE-2016-0494
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to
the 2D component has complete confidentiality impact, complete integrity
impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/109944
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID:
CVE-2016-0483
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit
related to the AWT component has complete confidentiality impact, complete
integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/109945
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID:
CVE-2015-8472
DESCRIPTION:
libpng is vulnerable to a buffer overflow, caused by improper bounds checking
by the png_get_PLTE() and png_set_PLTE() functions. By persuading a victim to
open a specially crafted PNG image, a remote attacker could overflow a buffer
and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 6.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/109392
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
CVEID:
CVE-2016-0475
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit
related to the Libraries component has partial confidentiality impact, partial
integrity impact, and no availability impact.
CVSS Base Score: 5.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/109946
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVEID:
CVE-2016-0466
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit
related to the JAXP component could allow a remote attacker to cause a denial
of service resulting in a partial availability impact using unknown attack
vectors.
CVSS Base Score: 5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/109948
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID:
CVE-2016-0402
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to
the Networking component has no confidentiality impact, partial integrity
impact, and no availability impact.
CVSS Base Score: 5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/109947
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID:
CVE-2015-7575
DESCRIPTION:
The TLS protocol could allow weaker than expected security caused by a
collision attack when using the MD5 hash function for signing a
ServerKeyExchange message during a TLS handshake. An attacker could exploit
this vulnerability using man-in-the-middle techniques to impersonate a TLS
server and obtain credentials.This vulnerability is commonly referred to as
SLOTH".
CVSS Base Score: 7.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/109415
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
CVEID:
CVE-2016-0448
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to
the JMX component could allow a remote attacker to obtain sensitive
information resulting in a partial confidentiality impact using unknown attack
vectors.
CVSS Base Score: 4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/109949
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVEID:
CVE-2015-5041
DESCRIPTION:
A flaw in the IBM J9 JVM allows code to invoke non-public interface methods
under these circumstances. Untrusted code could potentially exploit this. This
could lead to sensitive data being exposed to an attacker, or the attacker
being able to inject bad data.
CVSS Base Score: 4.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/106719
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID:
CVE-2015-7981
DESCRIPTION:
libpng could allow a remote attacker to obtain sensitive information, caused
by an out-of-bounds read in the png_convert_to_rfc1123 function. An attacker
could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107740
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:
CVE-2015-8540
DESCRIPTION:
libpng is vulnerable to a buffer overflow, caused by a read underflow in
png_check_keyword in pngwutil.c. By sending an overly long argument, a remote
attacker could overflow a buffer and execute arbitrary code on the system or
cause the application to crash.
CVSS Base Score: 9.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/109219
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:
CVE-2015-8126
DESCRIPTION:
libpng is vulnerable to a buffer overflow, caused by improper bounds checking
by the png_set_PLTE() and png_get_PLTE() functions. By persuading a victim to
open a specially-crafted PNG file, a remote attacker could overflow a buffer
and execute arbitrary code on the system.
CVSS Base Score: 7.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/108010
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Affected Products and Versions
IBM Notes Standard Client 9.0.1 through Notes Standard Client 9.0.1 FP5IF1
IBM Notes Standard Client 8.5.3 through Notes Standard Client 8.5.3 FP6IF8
All 9.0 and 8.5.x releases of IBM Notes Standard Client prior to those listed
above
Remediation/Fixes
IBM Notes Standard Client - Multiple vulnerabilities in IBM Java 6 SR16FP15
affect IBM Notes Standard Client are also tracked as SPR KLYHA5YRMV. Refer to
the JVM tab in the technotes linked below for download links to a single
standalone Java patch that addresses these vulnerabilities.
Interim Fixes & JVM Patches for 9.0.1 Fix Pack 5 versions of IBM Notes, Domino
& iNotes
Interim Fixes & JVM Patches for 8.5.3 Fix Pack 6 versions of IBM Notes, Domino
& iNotes
Customers who remain on the following releases may open a Service Request with
IBM Support and reference SPRs KLYHA5YRMV for a custom hotfix:
IBM Notes Standard Client 9.0.1 though Notes Standard Client 9.0.1 FP5 IF1
IBM Notes Standard Client 9.0.0x
IBM Notes Standard Client 8.5.3 through Notes Standard Client 8.5.3 FP6IF8
IBM Notes Standard Client 8.5.2x
IBM Notes Standard Client 8.5.1x
Workarounds and Mitigations
For CVE-2015-7575:
Java 6 requires code changes in the JSSE component in addition to the
java.security file modifications, so upgrading the JDK is the only solution.
Administrators can help to protect their Domino servers against unauthorized
access by strictly limiting the use of Java functions on the server through
careful population of the
Programmability Restrictions
section on the Security tab of the Server document. In particular, IBM
recommends prohibiting server access by untrusted code, Java or otherwise.
Likewise, administrators can use Policies to configure Notes Standard Client
Execution Control Lists
to limit such attacks against the Notes Standard client.
Get Notified about Future Security Bulletins
Subscribe to
My Notifications
to be notified of important product support alerts like this.
References
Complete CVSS v2 Guide
On-line Calculator v2
Complete CVSS v3 Guide
On-line Calculator v3
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Domino
(technote 1976262)
Acknowledgement
CVE-2015-7575 was reported to IBM by Karthikeyan Bhargavan at INRIA in Paris,
France
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVsKr8n6ZAP0PgtI9AQIp3Q//bH5b01p/c1kjyloTAumDapQ4AmwnqVtN
kHHauj0SpPhDlOzHAljz2y7BskbvHgkBVGwLA9I3ga1Jr9a+/GNoIKbBoIbjMcNz
wKcJJgB4Jc5EyvR9LrVuxWGeZF7MpZdCazc2Q1LqTR1l7EcNo5BRsxGt354OZtaR
+kmkQ88xovfOVnQ0oDa0/fDZAFs9rkiWRv1VvBvhbRMhMwGKOE3RtUmq0AB/O6RP
4m3IX0EY0PJfJ50Fqq+zcVnH8iSrS67mubF0NzjAxClcyCs2htkSpyhyPxw+EFSo
2wuGuofCc9YJGIxIubsBZqWp3L0t6dNJAOTlp6MFN5kg3EKP7cwdyRLmlNm2O8R6
Ez4pXmjKARxHQlmICtDrFvEpj+pjMK/V+5aZlGhhGav1rj5/5/9G+W+rO98Eyz6+
9d8VG4/DKMYOcPOs1ibZ/bcMDBr5UeU6b7q971SX5tIyODpt3fBrQN7bwxqWV6Uw
dTE6mQ96n7wNKB7rV4GeySFjP7RAsFGaeGWBeVHojRPx+IoXkAOrhjIINLgOHyX5
wB5ugpkvcVxsS/0LgnrcstJIAKCEJJigEwKfT3C2q2MHE/72gev5Q1SIMMd3uHsf
yJ1F5rJNnegcBBOpPOqtNK1KkMberxDlpkioWGLZLWF2p7rk0tdOostxHW4yDdKx
wTOUjVKVz7A=
=gpLb
-----END PGP SIGNATURE-----